Auditing is a key and frequently mandatory security measure for systems requiring authenticated access. It allows an administrator to view the different activities/tasks that have been performed by different users over a period of time. PowerVC provides built-in support for collecting and retrieving audit data for the compute (nova), block storage (cinder), networking (neutron), image (glance), metering (ceilometer), and validation services. The notable exception is the identity service (keystone), for which PowerVC currently lacks auditing support due to a limitation of OpenStack's audit middleware. Should you require auditing for identity APIs, you will need to look outside of PowerVC for that (e.g. configure auditing in a proxy or load balancer sitting in front of the PowerVC REST APIs).
PowerVC auditing support works at the API request/response level. This means that each API request and response will be recorded if and when auditing is enabled for a given service. By default, only the compute service has auditing enabled, and then only for create, update, and delete operations (i.e., not read/GET requests), to cut down on the volume of data being collected. You may want to further restrict that to only updates, extend auditing to read operations, and so on. This is independently configurable per service via the powervc-config CLI command. Note: if you experience performance issues, you may want to look at reducing the amount of audit data being collected.
The powervc-config command help is pretty intuitive. Let’s take a look at the syntax:
View the current audit configuration
Run powervc-config general audit to view the audit configuration for all PowerVC services. For a specific service, run powervc-config <service> audit.
Enabling Auditing for all services
To enable auditing for all PowerVC services, run powervc-config general audit --enable --restart. Note that using the --restart flag will restart all the PowerVC services. If you want to prepare the audit configuration but don't want it to be reflected immediately, you can omit this flag and use /opt/ibm/powervc/bin/powervc-services to restart services when you are ready.
Enabling Auditing for a specific service
If you want to audit only specific services (e.g. storage), then you can run powervc-config storage audit --enable --restart. Run "powervc-config -h" to view the list of all services. Run powervc-config <service> -h to verify that auditing is supported for that service.
Customize Audited Operations
Auditing can be selectively configured for specific operations. The HTTP operations that are currently supported are GET, PUT, POST, DELETE, HEAD, TRACE, OPTIONS, PATCH and CONNECT. To selectively disable auditing for a specific operation, use the -i | --ignore option. For example, powervc-config image audit --ignore GET --restart will change the audit configuration for the image service to not audit GET operations. As mentioned before, the --restart flag is required for the audit configuration changes to take effect. Use --ignore NONE to audit all operations, that is, to ignore none of the operations. E.g., run "powervc-config general audit --ignore NONE --restart" to set the ignore option to NONE for all services. If auditing is currently disabled, use the --enable option together with --ignore to ensure that auditing is enabled with the custom configuration.
Auditing can be disabled for either a single service or all services. This can be achieved using the powervc-config <service> audit --disable command. Use "general" as the service to disable all auditing.
Viewing and Exporting Audit records
The OpenStack telemetry service (ceilometer) is used to store audit data and provides REST APIs for flexible querying. PowerVC has added the powervc-audit-export CLI on top of those REST APIs for improved usability. Let’s take a look at the syntax:
Making Sense of Audit Records
The audit data generated by the PowerVC services follows the Cloud Auditing Data Federation (CADF) standard. This standard defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. More details on this standard can be found at the Cloud Auditing Data Federation web page.
The below table gives a quick snapshot of how the contents of an audit record are organized:
Security intelligence tools like IBM QRadar could be used for advanced analysis of audit data.
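As an added illustration of working with CADF-style records (this is example code, not part of the PowerVC product or the powervc-audit-export tool), the script below loads a constructed JSON batch of audit events, tallies who did what with which outcome, and flags targets where a state-changing action succeeded only after failed attempts. The record layout (action, outcome, initiator, target, eventTime) follows the CADF event model; the sample values and the service typeURIs are constructed, not real PowerVC output.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export (not real PowerVC output). Field names follow the
# CADF event model used by OpenStack's audit middleware.
SAMPLE_EXPORT = json.dumps([
    {"id": "evt-1", "eventType": "activity", "eventTime": "2016-03-01T10:00:00Z",
     "action": "create", "outcome": "success",
     "initiator": {"name": "alice", "host": {"address": "10.0.0.5"}},
     "target": {"typeURI": "service/compute/servers", "id": "srv-1"}},
    {"id": "evt-2", "eventType": "activity", "eventTime": "2016-03-01T10:05:00Z",
     "action": "delete", "outcome": "failure",
     "initiator": {"name": "bob", "host": {"address": "10.0.0.9"}},
     "target": {"typeURI": "service/storage/block/volumes", "id": "vol-7"}},
    {"id": "evt-3", "eventType": "activity", "eventTime": "2016-03-01T10:06:00Z",
     "action": "delete", "outcome": "failure",
     "initiator": {"name": "bob", "host": {"address": "10.0.0.9"}},
     "target": {"typeURI": "service/storage/block/volumes", "id": "vol-7"}},
    {"id": "evt-4", "eventType": "activity", "eventTime": "2016-03-01T10:07:00Z",
     "action": "delete", "outcome": "success",
     "initiator": {"name": "bob", "host": {"address": "10.0.0.9"}},
     "target": {"typeURI": "service/storage/block/volumes", "id": "vol-7"}},
])


def load_events(text):
    """Parse a JSON list of CADF events, keeping only 'activity' events."""
    return [e for e in json.loads(text) if e.get("eventType") == "activity"]


def summarize(events):
    """Count (initiator, action, outcome) triples for a quick activity overview."""
    counts = Counter()
    for e in events:
        who = e.get("initiator", {}).get("name", "unknown")
        counts[(who, e["action"], e["outcome"])] += 1
    return counts


def failed_then_succeeded(events):
    """Return (initiator, action, target) keys where a create/update/delete
    succeeded after earlier failures on the same target, with the failure count.
    Such sequences are worth a closer look during review."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        if e["action"] not in ("create", "update", "delete"):
            continue
        key = (e.get("initiator", {}).get("name"), e["action"], e["target"]["id"])
        if e["outcome"] == "failure":
            failures[key] += 1
        elif failures[key]:
            hits.append((key, failures[key]))
    return hits
```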
As you can see, PowerVC can help you obtain and review the audit information that’s most helpful to you. If you have questions on this or any other PowerVC subject, comment on this post, on our LinkedIn page, or on Facebook!